Month: March 2013

This is one of the most common ConsignPro support calls we receive. The ConsignPro settings file (cp.ini) is the second-most important file that you should be backing up on a daily basis. If this file “goes missing,” ConsignPro will not load.

Why did this file go missing?

The most common reasons are:

[checklist]

ConsignPro stopped responding at the end of the day

Antivirus software

Automatic backup software (specifically, Carbonite)

[/checklist]

This file is manipulated by ConsignPro (cp.exe) when you close at the end of the day. The ConsignPro executable tries to rename that file to cp2.ini and then make a backup of that file named cpini.bak.

That activity can look suspicious to antivirus programs. ConsignPro is not a malicious program, but renaming and rewriting its own configuration file from an executable is exactly the kind of behaviour antivirus heuristics flag. When ConsignPro goes to rename that file and “work with it,” the antivirus program can treat that as malicious behavior and delete or quarantine the cp.ini file. This is why it’s very important to select the right antivirus program and to configure it properly. The Computer Peeps recommend ESET Nod32 Antivirus.

This tends to happen more often after you update, because the file has a different signature than before AND it’s being manipulated by an executable program. So for those of you who just updated to the latest version of ConsignPro and your antivirus program has been going nuts all week, now you know why.

What we do NOT recommend doing is installing the “New Ini” file from the ConsignPro website. All you’re doing is sweeping the issue under the rug by installing that and asking for another unlock code. Why throw away your settings with a blank file when you can restore your previous backup? Your cpini.bak file can be restored, even if it’s not the one from *yesterday*. Your cp.ini file could also still be sitting in the ConsignPro directory, named cp2.ini.

It’s also very important to implement the most appropriate backup solution. For ConsignPro users, The Computer Peeps recommend:

If you just throw on a program such as Carbonite and tell it to back up your entire ConsignPro folder, you are going to generate collisions. Automatic backup programs can try to work with files as soon as there’s an update/change to them. If ConsignPro is trying to work with the same file at the same time, a collision occurs, and this can result in file deletion or incomplete file names/renames.

If you would like The Computer Peeps to setup a solid, reliable, compatible, and straight-forward backup system WITH email notifications AND automatic end-of-year ConsignPro backups, give us a call at (888) 374-5422 or send us a message via our Contact Us page!

[hr]

Update 11/24/2017

I wanted to post a follow-up to this, because it’s not just antivirus that’s causing this, nor does the change Brian made (moving settings into the database) prevent it.

ConsignPro tends to ‘crash’ at the end of the day, when you’re closing the program. The program shows Not Responding, which is usually when the person closing up clicks with their mouse again, which only makes it look even *more* frozen:

[hr]

The following morning, when the store opens, the person opening for the day runs into the “ConsignPro settings file was not found” error:

[hr]

This happens because ConsignPro crashes (no Try/Catch around the rename?) while renaming cp.ini to cp2.ini:

[hr]

I’m not sure why Brian chose to rename this file before copying it; it’s an extra step, and a crash between the rename and the copy leaves ConsignPro with no cp.ini at all. VB can copy a file to a new name in one swoop:

[hr]

We’ve written our own application that checks our clients’ cp.ini file every morning and alerts if it’s not there, if cp2.ini exists, etc.
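As an added example (not ConsignPro’s code, nor The Computer Peeps’ checker), here is a Python version of both halves of this: a morning check that reports whether cp.ini is missing and whether cp2.ini or cpini.bak is there to restore from, plus a copy-then-verify backup that never renames the live file. The file names come from the post; the folder path and the sample cp.ini contents are assumptions.

```python
import filecmp
import os
import shutil

# File names from the post: the live settings file, the copy ConsignPro
# leaves behind when its rename is interrupted, and the daily backup.
INI, RENAMED, BACKUP = "cp.ini", "cp2.ini", "cpini.bak"

def check_settings(folder):
    """Morning check, like the post's alert tool: returns (status, advice)."""
    have = {n: os.path.isfile(os.path.join(folder, n)) for n in (INI, RENAMED, BACKUP)}
    if have[INI]:
        return "ok", "cp2.ini left behind: last close was interrupted" if have[RENAMED] else None
    if have[RENAMED]:
        return "missing", "rename cp2.ini back to cp.ini"
    if have[BACKUP]:
        return "missing", "copy cpini.bak to cp.ini"
    return "missing", "no local copy; restore cp.ini from your daily backup"

def restore_settings(folder):
    """Recover cp.ini: cp2.ini (the interrupted rename) is yesterday's file,
    cpini.bak is older. Returns the source used, or None if nothing was done."""
    target = os.path.join(folder, INI)
    if os.path.isfile(target):
        return None
    for name in (RENAMED, BACKUP):
        src = os.path.join(folder, name)
        if os.path.isfile(src):
            if name == RENAMED:
                os.replace(src, target)    # rename back; the file is intact
            else:
                shutil.copy2(src, target)  # leave the backup itself untouched
            return name
    return None

def safe_backup(folder):
    """Copy-then-verify backup that never renames the live cp.ini, so a crash
    at any step still leaves ConsignPro able to start the next morning."""
    src, dst = os.path.join(folder, INI), os.path.join(folder, BACKUP)
    tmp = dst + ".tmp"
    shutil.copy2(src, tmp)
    if not filecmp.cmp(src, tmp, shallow=False):
        os.remove(tmp)
        raise IOError("backup copy of cp.ini does not match the original")
    os.replace(tmp, dst)  # swap the verified copy into place atomically
    return dst
```

Run check_settings against the ConsignPro folder from a scheduled task before opening; anything other than ("ok", None) is worth an alert.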

Stunnel, an application that provides secure ‘tunneling’ for commonly used, insecure protocols (e.g. SMTP, POP3, etc.), has issued a security bulletin. There is a known flaw that could be used to inject arbitrary code and ultimately control where the connection goes. Imagine the emails you’re trying to send to consignors and/or customers being intercepted.

If you think this is being hyper-sensitive, you don’t internets enough.

Any applications installed on your systems must be justified, as per the PCI DSS v2.0:

[hr size=’big’]

2.2.2 Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system.

2.2.2.b Identify any enabled insecure services, daemons, or protocols. Verify they are justified and that security features are documented and implemented.

2.2.3.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.

2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.

[hr size=’big’]

If someone is going to install 3rd party software on your computer, be sure to ask them if they are going to maintain and patch that software on a daily basis. As a business bound by PCI DSS, applications must be patched on at least a monthly basis. For systems storing, processing, or connected to sensitive data, applications should be patched more frequently, i.e. daily.

Without even considering PCI DSS, it’s common sense. An application installed with good intentions can easily backfire on you if not properly maintained.

Our booth is booked for Sourcemart at this year’s NARTS Conference 2013 in San Diego! We’re looking forward to seeing clients we’ve known for years, as well as meeting new clients. Whether you’re a new store owner, a store owner in need of a hardware upgrade, or a store owner looking for a professional website, The Computer Peeps are looking forward to showing you the level of service we provide.

Be sure to stop by and see us at our booth! The focus this year is to raise awareness @ PCI DSS Compliance. We’ll be offering some great deals at our booth, so before you buy any consignment hardware to go with your consignment software, stop by and see us. You’ll save a lot of money and headaches. 🙂 Just ask around!

We’re also going to be donating a great item for this year’s NARTS Auction! In previous years, we’ve donated consignment hardware and consignment software support services, as well as consultation. What will it be this year?!?! Keep an eye on the NARTS Auction Preview page to find out!

Heads-up, Evernote users. Evernote is reporting they have been hacked and have issued a Security Notice. As a safety measure, they have initiated password resets for all accounts. Evernote has stated that no user content appears to have been compromised.

I know it’s a very common thing for people to use the same password and email address across multiple sites. Do not do that. Think about it: if your Evernote account was compromised and your email + password were the same for Gmail, Amazon, eBay, iTunes, etc., you would risk losing access to everything and even incurring some real expenses or data loss.

Stay safe and if you have any questions or comments, feel free to post below!

What is PCI DSS?

The PCI DSS (Payment Card Industry Data Security Standard) v2.0 document is 75 pages long and details each item required of a business that accepts credit cards. It provides a set of rules and guidelines for properly securing cardholder data and personally identifiable information. If you process credit cards at your business, you are required to adhere to PCI DSS.

I Use A Credit Card Terminal, Not Software, So I Don’t Have To Be Compliant

False. If your business processes credit cards, you are bound to PCI DSS Compliance. And there’s no need to be defensive about any of this either. Just stop and think for a minute – how would you want someone to handle your credit card information + your personally identifiable information? Think about that next time you have to pay an antivirus bill or log in after 15 minutes of inactivity.

How Do I Get Compliant?

It’s actually easier than many people think, but there are a lot of pieces to it. We’re going to break this up into easier-to-digest chunks, because the goal here is to get every consignment and resale shop fully PCI DSS Compliant. It benefits you and your business to be on top of your game, and that’s what the PCI DSS helps you accomplish.

I Want To Read The Entire PCI DSS Guide

It’s actually quite a good read. Securing systems, documenting processes, holding software vendors accountable for security issues, and covering your bases are all exciting and positive things. Your business can only benefit from scrutinizing every piece of your infrastructure, from usernames to patch management, to internet usage policies and hardware/phone/device policies.

We have provided a convenient link to the PCI DSS v2.0 guide right here…

We’ve gone through every page of the PCI DSS guide, and the majority of it is best practices that techs and system administrators have probably been badgering you about for years.

Below is a concise list of the core sections of the PCI DSS. We will post a new entry, specific to each requirement, over the coming weeks.

Consignment and resale stores – it’s time to get compliant. No more DIY, no more having a friend-of-a-friend-of-a-sister’s-boyfriend setup stolen software on your systems. Credit card transactions and personal information are serious business. Can you imagine if your consignment database was stolen and every consignor/customer started to receive spam links from you with viruses or phishing pages? o_O

Don’t feel overwhelmed by all of this though. It’s doable, it’s a clear path, and you have to start somewhere.

Requirement 7: Restrict access to cardholder data by business need to know

[checklist]

Limit access to systems to only those authorized to do so.

Restrict access based on User ID

[/checklist]

Requirement 8: Assign a unique ID to each person with computer access

[checklist]

Assign unique User IDs to each employee

[info_box style=”notice”]Note: These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. However, Requirements 8.1, 8.2 and 8.5.8 through 8.5.15 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).[/info_box]

Is there an echo in here? On Dropbox’s user support forum, multiple users have reported that email addresses that were completely unique and intentionally obfuscated have received spam email.

Dropbox User Post

As users have pointed out, either spammers got very lucky guessing such an email address, or the user email list was compromised.

Dropbox and users have suggested this might be part of last year’s breach, but users who registered after said breach have reported receiving messages.

This is as good a time as ever to mention security and online awareness. If you signed up for Dropbox with an email address that you also use for your consignment store, a spam email with a phishing link or other attack could find its way into your business systems.

Just be vigilant when it comes to the messages you receive and always think twice before opening messages or clicking links.